MSI installation with group policy - srv 2008

Hello,
I am having trouble installing msi files to computers using group policy. I have created a partition on the domain controller which stores all msi installation files in folders for each software (e.g. F:\java\java.msi) and the drive is shared with domain admins = full control. Security permissions also have domain admins = full control and the rest are defaults.
When I assign an msi file in gp and assign that gp to the OU, the computers usually see the file when they restart (installing managed software...), but then it goes off straight away and does not install anything.
Basically, can anyone tell me if I'm going wrong somewhere, perhaps permissions wise...
Has the "Everyone" group got read and execute permissions? If you check the event logs of the machine which isn't installing is there an error relating to permissions or packages?
No, Everyone does not have read and execute permissions. I will add it and try it. Does it also need to be in share permissions?
Thanks.
Try adding authed users with read and execute permissions. You will need this in the NTFS security settings on the server and allow access when sharing the folder also. Once you have it working you should find that you can start restricting permissions to make it a little more secure. Also deny everyone but administrators from viewing folder contents (list folder: deny it), that way if they do come across the folder they can't see sub folders of files.
If it's an MSI install on startup, you need to allow 'Domain Computers' read (and possibly write) access to the installer and as an apply to in the GPO pane shown above, as it's applying before logon.
So domain computers need access in the share, security and GPO windows.
If you're installing by GPO the PCs will be processing the GPO before anyone logs in, so the installation packages need to be accessible to the workstation. I dunno if a workstation counts as "authenticated user"; I have mine set to just be everyone read.
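
One way to check the NTFS side of what the replies above describe, as an added example that is not from the thread. The default path is the folder named in the question, the function name `Test-InstallSourceAcl` is hypothetical, and share permissions still have to be checked separately.

```powershell
# Added example (not from the thread): report NTFS read access on an install source.
param([string]$Path = 'F:\java')   # folder named in the question; change as needed

# Principals mentioned in the replies. Computer-assigned installs run before logon
# under the machine account, which is a member of Domain Computers and is also
# covered by Authenticated Users and Everyone.
$Principals = 'Domain Computers', 'Authenticated Users', 'Everyone'
$RX = [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute

function Test-InstallSourceAcl {   # hypothetical helper name
    param([string]$Folder)
    $rules = (Get-Acl -Path $Folder).Access
    foreach ($name in $Principals) {
        # IdentityReference looks like 'CONTOSO\Domain Computers' or 'Everyone'
        $mine = @($rules | Where-Object {
            ($_.IdentityReference.Value -split '\\')[-1] -eq $name
        })
        # Allow ACEs that grant every bit of Read & Execute
        $allow = @($mine | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.FileSystemRights -band $RX) -eq $RX)
        })
        # Deny ACEs that remove any of those bits (e.g. a List Folder deny)
        $deny = @($mine | Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            (([int]$_.FileSystemRights -band $RX) -ne 0)
        })
        New-Object psobject -Property @{
            Principal   = $name
            AllowsRX    = ($allow.Count -gt 0)
            DenyOverlap = ($deny.Count -gt 0)
        }
    }
}

$report = Test-InstallSourceAcl -Folder $Path
$report | Format-Table Principal, AllowsRX, DenyOverlap -AutoSize

# The machine account belongs to all three principals, so a Deny on any of them
# blocks it, and at least one Allow is needed for the install to read the MSI.
$anyAllow = @($report | Where-Object { $_.AllowsRX }).Count -gt 0
$anyDeny  = @($report | Where-Object { $_.DenyOverlap }).Count -gt 0
if (-not $anyAllow -or $anyDeny) {
    Write-Warning "Computer accounts may not be able to read packages under $Path"
}
```

A `DenyOverlap` of `True` on Everyone is worth a second look, because a List Folder deny placed there also applies to the workstations that need to read the package.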